This invention relates generally to computer security software, and more particularly to enforcing restrictions on an application based on the application's reputation.
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker. For example, malware can surreptitiously capture important information, such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, malware can provide hidden interfaces that allow an attacker to access and control the compromised computer.
While classical malware was usually mass-distributed to many computers, modern malware is often targeted and delivered to only a relative handful of computers. For example, a Trojan horse program can be designed to target computers in a particular department of a particular enterprise. Likewise, a fraudulent email can carry a phishing attack directed only at customers of a certain bank or other electronic commerce site. Mass-distributed malware can often be detected and disabled by conventional security software, which uses techniques such as signature scanning and behavior-monitoring heuristics to detect the malware. However, these techniques are less effective for detecting targeted threats, since there are fewer instances of the same malware and the security software might not be configured to recognize it.
Moreover, even mass-distributed malware is becoming harder to detect. A malicious website might automatically generate new malicious code for every few visitors. As a result, the malware is widely distributed, but only a small number of users have the exact same code; hence, it becomes impractical to generate signatures and use signature-scanning techniques to detect the malware. Sometimes, the different versions of the malware perform different functions, which also makes the malware difficult to detect through heuristics and other techniques.
Further, security companies that analyze malware to develop signatures, heuristics, and other techniques for detecting it receive a large number of malware submissions. The security companies sometimes have no way to effectively measure the threat posed by submitted malware. For example, the security companies might not know whether submitted software is truly malicious or how widely a particular piece of malware is distributed. As a consequence, the security companies have a difficult time ranking or triaging the malware submissions to focus on analyzing the submissions that constitute the greatest threats.
These problems have affected reputation-based systems that use black listing to block suspected malware or white listing to allow only approved clean software. Black listing methods are collapsing under the sheer volume of fingerprints that are now needed to identify actively mutating and proliferating malware. Similarly, white list policies, which only allow known good software to run, are too incomplete and therefore too restrictive for consumer environments—and even most enterprise environments. Maintenance and timely distribution of pure white list databases of known good applications cannot keep pace with the distribution of legitimate software, resulting in too much legitimate software being blocked because the white list database is out of date. Accordingly, both black listing and white listing solutions suffer due to the high rate at which new malware and legitimate software are developed, as these systems may not properly deal with new, unknown code.
Some previous systems have used virtual sandboxing, similar to application virtualization, to allow unknown sites to operate on virtual copies of system resources. Other systems have used application resourcing to create duplicate copies of sensitive resources when modified by unknown applications. But these solutions are simply binary; the application is either provided access to real resources or to a copy based on whether the application is known or unknown to the system. Therefore, there is a need in the art for new ways to protect a client from malware while allowing legitimate software to operate and use the client's resources.
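To make the contrast drawn in the last two paragraphs concrete, the following Python example (added here; it is not part of the patent text and not any product's code) shows why a pure black list or white list has nothing to say about code that is on neither list, and how a graded policy can instead map an application's reputation to one of several restriction levels (real resources, copy-on-write duplicates of sensitive resources, full virtual sandbox, or block). The fingerprints are SHA-256 digests of constructed strings, the `Reputation` record and its `score`/`prevalence` fields are hypothetical, and the thresholds in `graded_restriction` are illustrative assumptions, not values from the page.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


# Fingerprints are SHA-256 digests of constructed sample byte strings; they
# stand in for real file hashes and correspond to no actual software.
def fingerprint(contents: bytes) -> str:
    return hashlib.sha256(contents).hexdigest()


WHITE_LIST = {fingerprint(b"constructed: well-known vendor installer")}
BLACK_LIST = {fingerprint(b"constructed: mass-distributed trojan")}


class ListVerdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    UNKNOWN = "unknown"   # on neither list: the case the text says list-based systems handle poorly


def black_list_verdict(fp: str) -> ListVerdict:
    """Black listing blocks only fingerprints it already knows; everything else runs."""
    return ListVerdict.BLOCK if fp in BLACK_LIST else ListVerdict.ALLOW


def white_list_verdict(fp: str) -> ListVerdict:
    """White listing runs only fingerprints it already knows; everything else is blocked."""
    return ListVerdict.ALLOW if fp in WHITE_LIST else ListVerdict.BLOCK


def list_coverage(fp: str) -> ListVerdict:
    """What the two lists together actually know about a file (UNKNOWN = neither has an entry)."""
    if fp in BLACK_LIST:
        return ListVerdict.BLOCK
    if fp in WHITE_LIST:
        return ListVerdict.ALLOW
    return ListVerdict.UNKNOWN


class Restriction(Enum):
    FULL_ACCESS = "access to real system resources"
    COPY_ON_WRITE = "modifications to sensitive resources go to a private duplicate"
    SANDBOX = "all resources virtualized; nothing real is touched"
    BLOCK = "application is not allowed to run"


@dataclass(frozen=True)
class Reputation:
    """Hypothetical reputation record (an assumption of this example, not the patent's schema)."""
    score: float      # 0.0 = almost certainly malicious .. 1.0 = almost certainly clean
    prevalence: int   # number of clients that have reported this same fingerprint


def graded_restriction(rep: Reputation) -> Restriction:
    """Map a reputation to a restriction level instead of a binary allow/deny.

    The thresholds below are illustrative assumptions chosen for this example.
    """
    if not 0.0 <= rep.score <= 1.0:
        raise ValueError("score must be between 0.0 and 1.0")
    if rep.score < 0.2:
        return Restriction.BLOCK
    if rep.score >= 0.8 and rep.prevalence >= 1000:
        # Well-regarded and widely seen: behaves like a white-list hit.
        return Restriction.FULL_ACCESS
    if rep.score >= 0.5:
        # Plausibly clean but not widely seen: let it run, keep sensitive resources safe.
        return Restriction.COPY_ON_WRITE
    # Rare and low-scoring, the profile of a targeted threat: isolate it completely.
    return Restriction.SANDBOX


if __name__ == "__main__":
    unseen = fingerprint(b"constructed: never-before-seen binary")
    print("black list says:", black_list_verdict(unseen).value)   # allow  (runs unchecked)
    print("white list says:", white_list_verdict(unseen).value)   # block  (legitimate code refused)
    print("lists know:     ", list_coverage(unseen).value)        # unknown
    for rep in (Reputation(0.95, 50_000), Reputation(0.9, 3), Reputation(0.3, 2), Reputation(0.05, 2)):
        print(rep, "->", graded_restriction(rep).name)
```

The two list functions show the failure mode in opposite directions: the black list lets the unseen file run, the white list refuses it, and neither can express "we do not know yet". `graded_restriction` replaces that binary choice with a ladder of restrictions, so a rarely seen file is still allowed to run but only against virtualized or duplicated resources until its reputation improves.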